Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSandbox 3.0.7 Administration Guide
    3.0.7
    5.0.0
    4.4.6
    4.4.5
    4.4.4
    4.4.3
    4.4.2
    4.4.1
    4.4.0
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.0.5
    4.0.4
    4.0.3
    4.0.2
    4.0.1
    4.0.0
    3.2.4
    3.2.3
    3.2.2
    3.2.1
    3.2.0
    3.1.5
    3.1.4
    3.1.3
    3.1.2
    3.1.1
    3.1.0
    3.0.7
    3.0.6

    Interfaces

    Interfaces

    To view and manage interfaces, go to Network > Interfaces.

    This page displays the following information and options:

    Interface

    The interface name and description, where applicable.

    Failover IP will be listed under this field with the following descriptor:(cluster external port).

    port1 (administration port)

    port1 is hard-coded as the administration interface. You can select to enable or disable HTTP, SSH, Telnet access rights on port1. HTTPS is enabled by default. port1 can be used for Device mode, although a different, dedicated port is recommended.

    port2

    port2 can be used for Sniffer mode, Device mode, and inter-node communication within a cluster.

    port3 (VM outgoing interface)

    port3 is reserved for outgoing communication triggered by the execution of the files under analysis. It is recommended to put this interface on an isolated network behind a firewall.

    One special type of outgoing communication from a guest VM is used to connect to the Microsoft Windows activation server to activate the Windows Sandbox VM product keys. You must enable Allow Virtual Machines to access external network through outgoing port and setup the next hop gateway and DNS server to allow files running inside VMs to access the external network. Office licenses are verified through the VM machines, so internet access via port3 is required to contact Microsoft for the license activation.

    port4

    port4 can be used for Sniffer mode, Device mode, and inter-node communication within a cluster.

    port5/port6

    port5 and port 6 can be used for Sniffer mode, Device mode, and inter-node communication within a cluster. On FortiSandbox 2000E, 3000E and 3500D devices, port5 and port6 are 10G fiber ports. We recommend using these ports on a primary (master) node or secondary (primary slave) as communications ports with cluster workers (slaves).

    port7/port8

    port7 and port8 can be used for Sniffer mode, Device mode, and inter-node communication within a cluster.

    On FortiSandbox 3000D devices, port7 and port8 are 10G fiber ports. We recommend using these ports on a primary (master) node or secondary (primary slave) as communications ports with cluster workers (slaves).

    IPv4

    The IPv4 IP address and subnet mask of the interface.

    IPv6

    The IPv6 IP address and subnet mask of the interface.

    Interface Status

    		 The state of the interface; one of the following states:
    • Interface is up
    • Interface is down
    • Interface is being used by sniffer

    Link Status

    		 The link status.
    • Link up
    • Link down

    Access Rights

    The access rights associated with the interface. HTTPS is enabled by default on port1 or any other administrative port set through the CLI command set admin-port. You can select to enable HTTP, SSH, and Telnet access on the administrative port.

    PCAP

    Click the PCAP icon to sniff the traffic of an interface for up to 60 seconds then download the PCAP file in a ZIP format (maximum 100MB file size).

    Users can define the tcpdump filter to use, such as host 172.10.1.1 and TCP port 443.

    Only one capture is allowed to run at a time for each port. Sniffing ports are combined and treated as a single port.

    Edit

    Select the interface and click Edit from the toolbar to edit the interface.

    The FortiSandbox uses port 3 to allow scanned files to access the Internet. The Internet visiting behavior is an important factor to determine if a file is malicious.

    As malicious files are infectious, you should ensure that the connection for port 3 is able to both access the Internet and be isolated. The connection should not belong to or be able to access any internal subnet that needs to be protected. Fortinet recommends placing this interface on an isolated network behind a firewall.

    For more information on FSA-1000D, FSA-3000D, FSA-2000E, FSA-3500D, FSA-3000E ports, see Default Port Information .
    tooltip icon

    You can setup more administration ports with CLI command set admin-port.
    Note

    The following subnets are reserved for use by FortiSandbox. Do not configure interface IP addresses as one falling into this range.

    • 192.168.56.0/24
    • 192.168.57.0/24
    • 192.168.250.0/24
    Previous
    Next

    Interfaces

    Interfaces

    To view and manage interfaces, go to Network > Interfaces.

    This page displays the following information and options:

    Interface

    The interface name and description, where applicable.

    Failover IP will be listed under this field with the following descriptor:(cluster external port).

    port1 (administration port)

    port1 is hard-coded as the administration interface. You can select to enable or disable HTTP, SSH, Telnet access rights on port1. HTTPS is enabled by default. port1 can be used for Device mode, although a different, dedicated port is recommended.

    port2

    port2 can be used for Sniffer mode, Device mode, and inter-node communication within a cluster.

    port3 (VM outgoing interface)

    port3 is reserved for outgoing communication triggered by the execution of the files under analysis. It is recommended to put this interface on an isolated network behind a firewall.

    One special type of outgoing communication from a guest VM is used to connect to the Microsoft Windows activation server to activate the Windows Sandbox VM product keys. You must enable Allow Virtual Machines to access external network through outgoing port and setup the next hop gateway and DNS server to allow files running inside VMs to access the external network. Office licenses are verified through the VM machines, so internet access via port3 is required to contact Microsoft for the license activation.

    port4

    port4 can be used for Sniffer mode, Device mode, and inter-node communication within a cluster.

    port5/port6

    port5 and port 6 can be used for Sniffer mode, Device mode, and inter-node communication within a cluster. On FortiSandbox 2000E, 3000E and 3500D devices, port5 and port6 are 10G fiber ports. We recommend using these ports on a primary (master) node or secondary (primary slave) as communications ports with cluster workers (slaves).

    port7/port8

    port7 and port8 can be used for Sniffer mode, Device mode, and inter-node communication within a cluster.

    On FortiSandbox 3000D devices, port7 and port8 are 10G fiber ports. We recommend using these ports on a primary (master) node or secondary (primary slave) as communications ports with cluster workers (slaves).

    IPv4

    The IPv4 IP address and subnet mask of the interface.

    IPv6

    The IPv6 IP address and subnet mask of the interface.

    Interface Status

    		 The state of the interface; one of the following states:
    • Interface is up
    • Interface is down
    • Interface is being used by sniffer

    Link Status

    		 The link status.
    • Link up
    • Link down

    Access Rights

    The access rights associated with the interface. HTTPS is enabled by default on port1 or any other administrative port set through the CLI command set admin-port. You can select to enable HTTP, SSH, and Telnet access on the administrative port.

    PCAP

    Click the PCAP icon to sniff the traffic of an interface for up to 60 seconds then download the PCAP file in a ZIP format (maximum 100MB file size).

    Users can define the tcpdump filter to use, such as host 172.10.1.1 and TCP port 443.

    Only one capture is allowed to run at a time for each port. Sniffing ports are combined and treated as a single port.

    Edit

    Select the interface and click Edit from the toolbar to edit the interface.

    The FortiSandbox uses port 3 to allow scanned files to access the Internet. The Internet visiting behavior is an important factor to determine if a file is malicious.

    As malicious files are infectious, you should ensure that the connection for port 3 is able to both access the Internet and be isolated. The connection should not belong to or be able to access any internal subnet that needs to be protected. Fortinet recommends placing this interface on an isolated network behind a firewall.

    For more information on FSA-1000D, FSA-3000D, FSA-2000E, FSA-3500D, FSA-3000E ports, see Default Port Information .
    tooltip icon

    You can setup more administration ports with CLI command set admin-port.
    Note

    The following subnets are reserved for use by FortiSandbox. Do not configure interface IP addresses as one falling into this range.

    • 192.168.56.0/24
    • 192.168.57.0/24
    • 192.168.250.0/24
    Previous
    Next